Friday, March 27, 2009

WinRAR is often used to protect information by compressing and encrypting various files. Since January 2002, WinRAR offers Advanced Encryption Standard [(AES) 128 bits] and it takes a considerable amount of time to decrypt/crack WinRAR files created with WinRAR version 3 and later. Usual techniques are to use Dictionary or Brute force attack utilising tools like AccessData PRTK/DNA or Elcomsoft ARPR (Advanced RAR Password Recovery) or AAPR (Advanced Archive Password Recovery). Even with Tableau Hardware Accelerator it is going to take considerable time to get in. Using FTK imported wordlists may significantly reduce the time of dictionary attack. The wordlist can be used by Elcomsoft password crackers and with PRTK/DNA it is possible to generate a custom dictionary from that list.

I found Elcomsoft ARPR to be much faster performing brute force (approximately 110 pwd/sec compared to PRTK 45 pwd/sec) and only around 21 pwd/sec for dictionary attack (one dual core PC). There is no Elcomsoft DNA (Distributed Network Attack) software available for archive cracking. From my experience, for brute force algorithm to find 4 printable characters passwords with the speed of 110 pwd/sec would take about a week to complete and more than a year for 5 printable characters passwords. PRTK is much slower then Elcomsoft at brute forcing and DNA should be used instead. I found that DNA dictionary attack with around 10 workers (computers) produced a speed of around 500 pwd/sec, which is about three times slower than using the Tableau TACC1441 Hardware Accelerator.

When performing a live analysis, the memory (RAM) dump may produce some valuable information, so it is worth getting the RAM dump even just to get WinRAR passwords stored in memory. I've had some success in getting the passwords from both the RAM dump and hiberfil.sys files by obtaining a word list and using it in the dictionary attack.

There are various tools available to decompress hiberfil.sys file and there are plenty resources discussing the procedure. X-Ways forensics offers the easiest way to decompress hiberfil.sys, and it handles well the fragments. It looks for \x81\x81 xpress chunks and starts decompression from that point. In fact, X-Ways Forensics will have the Edit Convert option greyed out, so the file needs to be opened in an editable mode. Usually I copy hiberfil.sys file somewhere on my desktop and use WinHex that comes with X-Ways Forensics to decompress it.

If no 'Encrypt Filenames' option is used, the filename in the encrypted WinRAR archive can be viewed in clear text. WinRAR also computes and stores CRC-32 values of the archived files and when the files are extracted, WinRAR computes the CRC of the extracted content and compares them with the CRC in the archive.

Where dictionary and brute force attacks failed, CRC can be used to search for uncompressed and unencrypted files on the hard drive that have the same CRC-32 value as encrypted files inside WinRAR archives. X-Ways Forensics is quite suitable for this task. All that is required is to Refine Volume Snapshot and change Computer Hash option to CRC-32.

CRC-32 generates a 32-bit checksum. It's important to note that the purpose of the CRC algorithm is to detect single bit errors during data transmissions and it is not designed to be collision free. Additionally, in theory a bad guy can deliberately generate two files with the same CRC-32 checksum without a problem, but in practise there are far more effective anti-forensic methods.

Friday, March 13, 2009

Mail Viewer for Outlook Express versions 4+ (.idx .mbx and .dbx), Windows Vista Mail and Windows Live mail databases including .eml files. It is very similar to OE Reader and the web site states that it is actually based on MITeC Outlook Express Reader. No installation required, it has only one 520 KB executable file. The viewer handles attachments quite well (text and HTML view) and the most importantly it is absolutely free. It works on Windows 95 --> Vista.

This web site has several interesting little application that may be useful in digital forensics http://www.mitec.cz/ImDisk Virtual Disk Driver is only 266 KB in size (compressed), 'works on both 32-bit and 64-bit versions of Windows' and allows mounting dd images in read & write and read only mode. dd images can be mounted with right click from Windows Explorer and by selecting mountnew virtual disk(Picture 1). It only works with non-splitted dd images and doesn't accept encase images. This small utility with seamless integration into Windows Explorer also allowing you to right click on selected drive and acquire dd image (Picture 2). I have compared this image with dd image of the same drive acquired with FTK Imager and md5 hash matched. ImDisk actually was about 8% faster in acquiring the image then latest version of FTK Imager, but it doesn't create a log file and it is unclear how ImgDisk handles bad sectors and errors. I haven't played with command line switches yet, so the functionality may be already there.

Search other Digital Forensics blogs

About Me

Forensic Technology professional with diverse international experience managing and conducting Digital Investigations in both large and small organisations. A passionate computer security and digital forensics professional.

Disclaimer

This blog is intended for my digital forensic needs and shared with everyone interested to make our world a little bit safer. This is a personal weblog. The opinions expressed here represent my own and not those of my employer.
While all reasonable attempts have been made to ensure the accuracy of information on this blog, neither myself nor the blog’s contributors can be held responsible for any errors, inaccuracies, or incomplete information contained therein.
I reserve the right to correct, change, or update any information on this blog at any time without prior notice.